Tag Archives: Malicious

Breach details

What

Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.

How much

93,389 customer details containing 110,096 payment card records.

When

14 October 2013

Why

A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £175,000.

When

20 February 2015.

Why the regulator acted

Breach of act

Breach of the fifth data protection principle: it was recognised that old payment card data should have been deleted, and its deletion had been planned, but due to human error it was never completed.
Breach of the seventh data protection principle, as systems and processes were not in place to keep software up to date. Additionally, PCI DSS prohibits the storage of CVV2/CVC2 data after authorisation.

Known or should have known

The Data Controller was aware of the Payment Card Industry Data Security Standard (PCI DSS), which requires security update management and prohibits storage of CVV2/CVC2 data. The patch for JBoss was available from the Red Hat distribution, so the Data Controller should have known of its availability. Given that the Data Controller processed payment card data, it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.

Likely to cause damage or distress

Of the payment card data stolen, the Commissioner was aware that over 5,000 of the cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the data subjects' banks, the Commissioner was of the opinion that distress had in fact occurred.

Breach details

What

Customer records containing encrypted payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.

How much

3,814 records.

When

18 June 2013

Why

The customer database and the WordPress content management system were hosted together on a single web server. A malicious attacker used SQL injection to extract the WordPress password hashes, which the attacker was then able to brute force because the passwords were weak. The attacker was then able to extract records from the database, including encrypted payment data; however, the encryption keys were stored on the same drive as the encrypted data and were therefore available to the attacker.
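The first two steps of the chain described above (injection through a page that builds SQL by string concatenation, then a dictionary attack on the leaked hashes), reproduced as an added example against an in-memory SQLite database. This is not code from the ICO notice or from the data controller's site. Assumed, not stated on the page: the injection point is a post-search feature, and the password hashes are unsalted MD5 (a simplification; the real CMS scheme differs). The sample posts, accounts and wordlist are constructed.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Assumed weak hashing scheme (unsalted MD5) used for the sample accounts."""
    return hashlib.md5(text.encode()).hexdigest()


def build_site() -> sqlite3.Connection:
    """Constructed sample data: two posts and three accounts, two with weak passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (title TEXT, body TEXT);
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO posts VALUES ('Welcome', 'First post'), ('Travel tips', 'Pack light');
        """
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("admin", md5_hex("password")),
            ("editor", md5_hex("letmein")),
            ("dba", md5_hex("x7!Qv#9pLw@2")),
        ],
    )
    return conn


def search_posts_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: user input is spliced directly into the SQL text."""
    sql = f"SELECT title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the term travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT title, body FROM posts WHERE title LIKE ?", (f"%{term}%",)
    ).fetchall()


# Attacker payload: closes the string literal, UNIONs the users table into the
# result set (same column count as the original SELECT), and comments out the
# trailing "%'" that the vulnerable query appends.
PAYLOAD = "zzz' UNION SELECT user_login, user_pass FROM users -- "

WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed


def dump_hashes(conn: sqlite3.Connection) -> dict:
    """What the attacker gets back from the vulnerable search: login -> hash."""
    return {login: h for login, h in search_posts_vulnerable(conn, PAYLOAD)}


def crack(hashes: dict, wordlist: list) -> dict:
    """Dictionary attack, feasible because the hashes are fast and unsalted."""
    table = {md5_hex(w): w for w in wordlist}  # one table serves every account
    return {login: table[h] for login, h in hashes.items() if h in table}


if __name__ == "__main__":
    site = build_site()
    leaked = dump_hashes(site)
    print("leaked hashes:", leaked)
    print("cracked:", crack(leaked, WORDLIST))
    print("same payload against the safe query:", search_posts_safe(site, PAYLOAD))
```

The safe variant returns nothing for the payload because the whole string is matched as a literal title pattern; the strong third password survives the wordlist, which is exactly why the notice's finding on weak passwords mattered as much as the injection itself.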

Regulatory action

Regulator

ICO

Action

Monetary penalty of £7,500.

When

31 October 2014.

Why the regulator acted

Breach of act

Breach of the seventh principle in that insufficient technical and organisational measures were taken. The ICO highlighted:

Developer training

Security testing of web pages

Use of default passwords

Encryption/Decryption key management

Known or should have known

The Data Controller was aware of the Payment Card Industry Data Security Standard (PCI DSS) and therefore should have been aware of the risks and the recommended controls. Given the nature of the information stored, it should also have been obvious to the Controller that a breach of security would be liable to cause damage or distress to the data subjects.

Likely to cause damage or distress

The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause ‘substantial distress’ to a data subject.

Breach details

What

A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited's website.

How much

1,163,996 records containing credit or debit card details, of which 430,599 were current.

When

21 December 2012.

Why

A system intended for internal purposes was installed on the same web server as the business's e-commerce application containing customer data. To facilitate working from home, this service could be accessed via a login page on a non-customer-facing website that was nevertheless publicly available over the internet. The login page contained a coding error that went undetected because no security testing had been done, on the basis that the page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £150,000

When

23 July 2014.

Why the regulator acted

Breach of act

Breach of the Seventh Data Protection Principle: Think W3 Limited failed to take appropriate technical measures to ensure the security of personal data, predominantly through failing to undertake suitable security testing, owing to a failure to understand the extent to which the web server could be accessed via the internet, and through failing to meet PCI DSS compliance requirements.

Known or should have known

By 2011 Think W3 Limited was aware of a number of issues with its PCI DSS compliance, causing it to review its security practices. However, it was slow in implementing improvements, despite being aware of the risk of contravention.

Likely to cause damage or distress

Although CVV2/CVC2 values were not obtained, the data obtained was clearly of interest to the attacker, given the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.

Breach details

What

Breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls, from two companies both owned by "Save Britain Money Ltd", to consumers who had registered with the Telephone Preference Service (TPS); the calls continued despite customer complaints and requests to unsubscribe.

How much

An unknown number of direct marketing calls resulting in over 2,700 complaints to the TPS or ICO.

When

May 2011 – December 2012

Why

Did not screen outbound calls against the TPS register.

Regulatory action

Regulator

ICO

Action

Nationwide Energy Services: Monetary penalty of £125,000

We Claim You Gain: Monetary penalty of £100,000

When

17 June 2013

Why the regulator acted

Breach of act

Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.

Known or should have known

Both companies had been repeatedly contacted by the TPS and ICO and were made aware they were in contravention of the Act. The TPS contacted Nationwide Energy Services on 1,601 occasions and We Claim You Gain 1,070 times.

Likely to cause damage or distress

The sheer volume of complaints should have indicated that distress would be caused and individual complaints to the ICO detailed varying degrees of actual distress.

Breach details

What

A server hosting part of The Sun newspaper's website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator

ICO

Action

Undertaking to comply with the fifth and seventh data protection principles

When

9 November 2011

Details

Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.

There was a breach of the fifth and seventh principles.

There had been a previous penetration test, so the Sun knew of the vulnerability.

It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

Breach details

What

Names and email addresses.

How much

About 175 records.

When

3 October 2012 or earlier

Why

The email service provider that the practice used was not suitable for sending sensitive medical results because it did not provide appropriate technical security measures. As a result, the practice's email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator

ICO

Action

Undertaking to comply with the seventh data protection principle

When

26 April 2013

Details

The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

Breach details

What

Serious breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.

How much

An unknown number of direct marketing calls resulting in 1,945 TPS complaints and an unspecified number of complaints directly to the ICO.

When

June 2011 to November 2012

Why

Ignored requirement to screen call lists against the Telephone Preference Service (TPS) or maintain an opt-out register.

BW Comments

After initial contact from the ICO, the unsolicited calls continued and some reported to the Commissioner were described as aggressive.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £90,000

When

20 March 2013

Why the regulator acted

Breach of act

Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.

Known or should have known

Concerns over PECR obligations were first raised by the Commissioner in 2004. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.

Likely to cause damage or distress

The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

BW Observations

That DM Design breached the PECR by not screening against the TPS register and not maintaining their own opt-out list is not debatable. The volume of calls and complaints is significant (although we are not told what the average or maximum level of complaints to the TPS in respect of a company is, other than that "they [DM Design] were one of the organisations about which the most complaints were received"). What is interesting is that the ICO again used the same justification as in the Tetrus Telecommunications MPN to determine the s55A(1)(b) 'substantial damage or distress' test: that although the distress in each individual case was not considerable, the cumulative effect of the distress caused by the totality of all calls made in contravention of PECR met the Commissioner's threshold of substantial distress.

Breach details

What

In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony PlayStation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

Patch systems regularly.

Run regular external vulnerability scans against systems.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £250,000

When

14 January 2013

Why the regulator acted

Breach of act

Breach of the seventh principle: the data controller failed to ensure that appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Network Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.

Known or should have known

Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.

Likely to cause damage or distress

It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations

A lack of basic security practices, such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5), is sufficient to justify an MPN, especially when you consider the number of accounts and their attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised; however, it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords might be used by the attackers to compromise customers' accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However, it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should a password be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers' passwords will also be usable to access unrelated sites?
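What "additional cryptographic controls to protect passwords" buys you, as an added example that is not from the MPN or from Sony's systems. The notice does not say which hash was in use; the unsalted MD5 below stands in for the guess made above, and the PBKDF2 iteration count, salt size and record format are choices made for this example. The accounts and wordlist are constructed; two accounts deliberately share a password to show how reuse shows up at rest under each scheme.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example; tune upward in production


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the scheme guessed above."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample accounts (not real data); alice and carol reuse one password.
ACCOUNTS = {"alice": "Summer2011", "bob": "hunter2", "carol": "Summer2011"}
WORDLIST = ["123456", "hunter2", "Summer2011", "password"]  # constructed


def distinct_stored_values(hash_fn) -> int:
    """Fewer distinct stored values than accounts means reuse is visible at rest."""
    return len({hash_fn(pw) for pw in ACCOUNTS.values()})


def crack_unsalted(records: dict, wordlist: list) -> tuple:
    """One precomputed table of len(wordlist) hashes serves every account at once."""
    table = {weak_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in records.items() if h in table}
    return found, len(wordlist)  # (recovered passwords, hash evaluations spent)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Every (account, guess) pair must be recomputed with that account's own salt."""
    found, work = {}, 0
    for user, stored in records.items():
        for w in wordlist:
            work += 1
            if verify_strong(w, stored):
                found[user] = w
                break
    return found, work  # each unit of work here costs ITERATIONS HMAC calls


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: strong_hash(p) for u, p in ACCOUNTS.items()}
    print("distinct weak values:", distinct_stored_values(weak_hash))
    print("distinct strong values:", distinct_stored_values(strong_hash))
    print("unsalted attack:", crack_unsalted(weak, WORDLIST))
    print("salted attack:", crack_salted(strong, WORDLIST))
```

Against this toy wordlist both schemes fall, which is the honest result for weak passwords; the difference is in the attacker's bill. The unsalted table costs four hashes and is reusable against all 77 million records, while the salted run must be repeated per account and each guess costs a full KDF, so the breach stops being a bulk operation. The salted records also no longer reveal which customers share a password, which is the cross-site reuse concern raised above.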

It was reported that Sony intended to appeal the MPN to the Information Tribunal; although an appeal was initially launched, it was later withdrawn.